errors in results returned
Posted: Wed Jun 30, 2004 10:29 am
The script below is basically me trying to do my first useful application of php.
I'm trying to parse syslog entries in an MS SQL database that look like the following:
"%PIX-4-106023: Deny udp src outside:213.249.135.9/137 dst inside:x.x.x.x/137 by access-group "acl_out""
where x.x.x.x is a public IP address in the subnet of the PIX.
The time, date etc. is also stored in separate columns of the database.
The first stage of the script is designed to look for IP addresses attempting to make a connection to one of our IP addresses - ie. to look for port-scanning attempts. The script then feeds results into an array which is counted and ordered by the IP which has occured the most.
The problem I am having is that seemingly at random I am getting a result that relates to one of our IP addresses that I haven't selected to look for. (ie one of the IP addresses that would be in the $_SESSION['IPs'] array but shouldn't be in this case because the tick box on the form wasn't selected).
I know it must be something I have done wrong but I just can't see what it is.
I know there is quite a lot of code below, but any help would be appreciated:
I'm trying to parse syslog entries in an MS SQL database that look like the following:
"%PIX-4-106023: Deny udp src outside:213.249.135.9/137 dst inside:x.x.x.x/137 by access-group "acl_out""
where x.x.x.x is a public IP address in the subnet of the PIX.
The time, date etc. is also stored in separate columns of the database.
The first stage of the script is designed to look for IP addresses attempting to make a connection to one of our IP addresses - ie. to look for port-scanning attempts. The script then feeds results into an array which is counted and ordered by the IP which has occured the most.
The problem I am having is that seemingly at random I am getting a result that relates to one of our IP addresses that I haven't selected to look for. (ie one of the IP addresses that would be in the $_SESSION['IPs'] array but shouldn't be in this case because the tick box on the form wasn't selected).
I know it must be something I have done wrong but I just can't see what it is.
I know there is quite a lot of code below, but any help would be appreciated:
Code: Select all
<?php
ob_start()
//error handling.
ini_set ('display_errors', 1);
error_reporting (E_ALL & E_NOTICE);
//Code to handle date formatting omitted
//Date format converted
//Check which sites and IP's we are interested in then create an array of the inside IPs
if (isset ($_POST['JDH'])){
$JDHIPs = array ('123.456.789.123', '123.456.789.123', '123.456.789.123');
print_r ($JDHIPs);
} else {
$JDHIPs = NULL;
}
if (isset ($_POST['College'])) {
$CollegeIPs = array ('123.456.789.123', '123.456.789.123', '123.456.789.123', '194.83.245.180');
print_r ($CollegeIPs);
} else {
$CollegeIPs = NULL;
}
if (isset ($_POST['$Arts'])) {
$ArtsIPs = array ('123.456.789.123', '123.456.789.123', '123.456.789.123');
print_r ($ArtsIPs);
} else {
$ArtsIPs = NULL;
}
$_SESSION['IPs'] = array_merge($JDHIPs, $CollegeIPs, $ArtsIPs);
print_r ($_SESSION['IPs']);
print_r ($_POST);
$insideIP=NULL;
$message_ids = array('%PIX-3-106014', '%PIX-4-106023');
//begin SQL and Syslog parsing script
if ($sql = @mssql_connect("172.31.100.7","xxx", "xxx"))
{
print '<p>Successfully connected to MSSQL.</p>';
if ($sql=@mssql_select_db('syslog'))
{
print '<p>Succesfully selected syslog database.</p>';
} else {
print '<p>Failed to select syslog database:' . mssql_get_last_message . '</p>';
}
} else {
die ('<p>Could not connect to MSSQL:' . mssql_get_last_message() .'</p>');
}
$query = "SELECT MsgText FROM syslog.PIXStats WHERE (MsgDate BETWEEN '{$_SESSION['date1']}' AND '{$_SESSION['date2']}')";
$n=0; //set the index for the sourceIPs array below
if ($results = mssql_query ($query)) //check that the query will work and run it
{
while ($array = mssql_fetch_array($results)){
print "{$array['MsgText']}<br />";
/*The code below checks for port scanning or ICMP requests then feeds this into
an array which is then parsed to provide an indication of who is the
most prevalent scanner etc. This works for syslog messages where the inside IP
is prefixed with "inside:" and the outside by "outside:" and the port number, if present
is prefixed by the IP then "/" */
foreach ($message_ids as $key1 => $message_id) { //loop through each message ID we're interested in
if (eregi ($message_id, $array['MsgText'])){
$data1 = strtok ($array['MsgText'], " "); //tokenise string
while ($data1) {
if (eregi ('inside:', $data1)) { //look for tokens relating to inside IP's
$stripinside = substr($data1, 7); //delete inside: from string
if (eregi ('/', $stripinside)) {
$length2 = strlen($stripinside);
$position2 = strpos ($stripinside, '/'); //look for occurence of the "/" before the port number
$needle2 = $length2-$position2;
$insideIP = substr($stripinside, 0, -$needle2); //get IP and remove port number
//print "inside IP = $insideIP<br />";
} else {
$insideIP = $stripinside;
//print "inside IP = $insideIP<br />";
}
}
foreach ($_SESSION['IPs'] as $key2 => $IP) { //loop through the IPs selected above and create a string from each
if ($insideIP == $IP) { //if the IP in MsgText matches an IP from range selected
//above then get source IP of attack
if (eregi ('outside:', $data1)) { //search for token corresponding to source IP
$stripoutside = substr($data1, ; //delete "outside:" from the string
if (eregi ('/', $stripoutside)) { //remove source port number by checking for occurence of '/'
$length1 = strlen ($stripoutside); //calculate length of string
$position1 = strpos ($stripoutside, '/'); //find occurence of '/'
$needle1 = $length1-$position1; //get -ve number to count back from
$sourceIP = substr($stripoutside, 0, -$needle1); //display from 0 to occurence of '/'
//print "<tr><td>$sourceIP</td>";
if (isset ($sourceIPs)){
$sourceIPs[$n]=$sourceIP; //check to see if array exists
$n++; //if it does add stuff to it
} else {
//if not create it
$sourceIPs = array($n =>$sourceIP);
$n++;
}
} else {
if (isset($_POST['include_icmp'])) {
/*include ICMP requests */
$sourceIP = $stripoutside;
print "<tr><td>$sourceIP</td>";
if (isset ($sourceIPs)){
$sourceIPs[$n]=$sourceIP;
$n++;
} else {
$sourceIPs = array($n =>$sourceIP);
$n++;
}
}
}
}
}
}
$data1 = strtok (" ");
}
}
}
}
} else { //query didn't run
die ('<p>Could not retrieve the data because: <b>' . mssql_get_last_message() . '</p>');
}
print '<p><table width="50%" border="4" bordercolor="#FF6633" cellspacing="0" cellpadding="2" align="centre">
<tr><td align="center">Source IP</td><td align="center">No. of connection attempts</td></tr>';
$sortedIPs = array_count_values($sourceIPs);
natsort($sortedIPs);
$rsortedIPs = array_reverse($sortedIPs);
foreach ($rsortedIPs as $key3 => $rsortedIP) {
print "<tr><td><a href="mssqlconnect4.php?ip=$key3" target="_blank">$key3</a></td><td>$rsortedIP</td></tr>";
}
reset($sortedIPs);
mssql_close();
print '</table></p>';
} else { //display the form
.........form stuff
?>